March 2010 Security Bulletin Release – follow up

Following on from the early March post regarding Windows update releases, further feedback sessions hosted by Microsoft resulted in the following Q and A summary.

Q:What is it about the Internet Explorer Pressing the F1 key that would trigger a VBScript vulnerability allowing for attacks?

A: The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. pressing the F1 in IE brings up the help window. For more information please see the security advisory (https://www.microsoft.com/technet/security/advisory/981169.mspx)

Q:Did Microsoft re-release KB 973917? If so, do we need to reapply this patch?

A: Yes, Microsoft did re-release KB 973917. The known issues addressed in this re-release can be reviewed in depth in KB article 973917. If you are running Windows Server 2003, we do recommend reinstalling this update as it addresses a memory leak present in the previous update that only becomes apparent when using Extended Protection for Authentication. For Windows Server 2008 users, we recommend reinstalling this update if you are currently using IIS with kernel-mode Windows authentication enabled, or with plans to use kernel-mode authentication in the future. On systems with this functionality present, the old version of the patch did not successfully enable Extended Protection for Authentication.

Q: I use Macintosh computers with Microsoft Office 2008, should I be concerned about its usage following the release of MS10-017?

A: The bulletin article for MS10-017 describes the vulnerabilities that affect Microsoft Office 2008 for Mac and also provides the patch information. Please visit this link to get additional information. https://www.microsoft.com/technet/security/bulletin/ms10-017.mspx

A: Windows Update only updates Windows Components. MS10-017 is an office update, so Windows Update does not offer support. If you choose to use “Microsoft Update” and allow updates for products other than Windows, then this is fully supported.

Q:I have noticed on my WSUS 3.0 servers that MS10-015 has 2 updates for many of the 32bit Operating Systems this is the update that causes a blue screen with the presence of a root kit virus. I held off approving but am considering approving now. Since there are 2 updates for some of the Operating Systems, which should be approved? One update has zero need while the other has most computers needed. Also, did the update with zero, require the original update with modified Meta data? Does the update with most computers require a replacement? Will the revision not cause a blue screen if the root kit is present allowing an orderly removal? Can you provide guidance?

A: The revised MS10-015 – revised 02 March 2010 – contains detection logic to prevent it installing on machines exhibiting possible symptoms of incompatibility. You should consider approving and deploying this version rather than the original 09 Feb 2010 version.

A: As listed in security bulletin MS09-033, Virtual PC Mode and Virtual PC 7 on Windows 7 are not affected by this vulnerability. Both of these products use Hardware Assisted Virtualization (HAV )-technology, which is not affected by this specific issue. Also, for MS10-010, this affected Hyper-V technology only, which is a distinct technology and not used by any version of Virtual PC.

Q:On one of the recent SRD blogs I read that Windows help files are inherently not so safe. Are there mitigations available?

A: Windows Help files are already considered “unsafe file types” per KB article 291369. This means that the scenarios in which these files can be successfully used are already greatly limited. This already greatly reduces the risk posed by these files. Based on this security advisory, Microsoft will of course continue to evaluate future possible opportunities to limit the scenarios in which these files can be used.

Q: Where in the registry are the settings kept when a user runs Windows Update/Microsoft Update/Automatic Update (WU/MU/AU) and selects that an update not be offered?

A: The artifacts that our detection tools look for to verify the installation of an update vary. The main items are listed in the bulletins under the “Security Update Deployment” section, where we generally list “Registry Key Verification” and link to file verification information in the matter KB for the bulletin.

Q: MS10-017 replaces MS09-067. The Excel 2003 update caused several spreadsheets to have an error. Several users reported: An “Important” patch that blocked macros form doing things to locked cells and messed up a few of our critical spreadsheets. At that time we declined the update. Does MS10-017 correct this issue?

A: This issues has been fixed in MS10-017 and further information can be obtained at https://support.microsoft.com/kb/973593 and https://support.microsoft.com/kb/973475

A:KB 976569 is a non security, optional update on Windows Update. Non-security updates never supersede security updates as they usually contain additional fixes not related to security.

Q: Live OneCare online scanner not able to remove detected malware on system configuration utility under startup tab. Is this only available through online tech for removal or are there Microsoft security products that are able to remove after scan?

A: It really depends on the malware. The Live One Care online safety scanner should be able to remove most auto-run points, as do our full install products like Security Essential and Forefront Client Security. Some really tricky pieces of malware require a reboot to clean an infection so that they can remove the startup points before they are fully enabled. The full install products generally have more capabilities with this type of behavior.

Q: What about MS10-015 from last month. The general recommendation in the industry was to not push this patch. Has it been fixed?

A: The revised MS10-015 – revised 02 March 2010 – contains detection logic to prevent it from installing on machines exhibiting possible symptoms of incompatibility. You should consider approving and deploying this version rather than the original February 9th version.

Q: MS10-016 – Embedded XP – Movie Maker 2.1: I know the KB 975561 says all version of XP affected, does this always mutually included Windows XP embedded. We say that Windows Movie Maker 2.1 is Inbox / comes with XP – does this also include XP embedded?

A: Check with your embedded system provider. These are very customized builds, and the vendor will specifically add and remove components based on the configuration.